GroupStudy.com - A virtual community of network engineers
Reflexive Access-Lists posted 03/11/2004


The whole idea of a reflexive list is to allow the packets originated behind the
originating device.


For example,

Suppose I am required to allow only telnet packets from the outside network to one
of my routers behind the Internet router.


ISP router ----------------------------------(S0) (My Internet router)
(E0)--------------------------------(E0) (My Edge router) (E1)------Local LAN
where the telnet server resides at 172.16.10.25.  I could do this:


ip access-list extended INBOUND
 permit tcp any any reflect REFLEXIVE

ip access-list extended OUTBOUND
 permit tcp any host 172.16.10.25 eq telnet
 evaluate REFLEXIVE

int e0
 ip access-group INBOUND in
 ip access-group OUTBOUND out

The "permit tcp any host 172.16.10.25 eq telnet" line is per the
documentation, but I don't seem to agree with it.  To me, it should be:

 permit tcp host 172.16.10.25 eq telnet any

The reason is that when a host at the ISP originates a request, the host is
the SOURCE and the telnet server is the DESTINATION, and when the server
replies to the request coming from the host, the server becomes the SOURCE
and the host becomes the DESTINATION.  That is the basic rule I learned when I
started configuring access-lists, but why wouldn't we apply the same logic to
a reflexive access-list?  I know I am wrong but I need some explanation.

Regards,

Ahmed
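As an added illustration (editor's example, not part of Ahmed's post or of Cisco's documentation), the following Python model shows how a reflexive access list works in IOS: a packet that matches a `permit ... reflect NAME` entry creates a temporary entry in NAME that mirrors the packet, with source and destination address and port swapped, and an `evaluate NAME` line in another list consults those temporary entries until the session ends or times out. The model is run over the INBOUND/OUTBOUND configuration from the post. The outside host 203.0.113.5 and its source port 40000 are constructed sample values; the list names and the server address 172.16.10.25 come from the post.

```python
"""Toy model of Cisco IOS reflexive access lists (added example).

Models the documented behaviour only: 'reflect' mirrors the matching packet
into a temporary entry, 'evaluate' matches against those entries, and the
entry is removed when the session is torn down. Timeouts are omitted.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    fin: bool = False  # session teardown; removes the matching reflexive entry


@dataclass
class Entry:
    """One access-list line. A field of None means 'any'."""
    proto: str
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    reflect: Optional[str] = None   # reflexive list this entry populates
    evaluate: Optional[str] = None  # reflexive list this line consults

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and self.src in (None, p.src)
                and self.sport in (None, p.sport)
                and self.dst in (None, p.dst)
                and self.dport in (None, p.dport))


def describe(e: Entry) -> str:
    """Render an entry the way 'show access-lists' would print it."""
    def endpoint(addr: Optional[str], port: Optional[int]) -> str:
        a = "any" if addr is None else f"host {addr}"
        return a if port is None else f"{a} eq {port}"
    return f"permit {e.proto} {endpoint(e.src, e.sport)} {endpoint(e.dst, e.dport)}"


class Router:
    def __init__(self) -> None:
        self.reflexive: dict[str, list[Entry]] = {}

    def check(self, acl: list[Entry], p: Packet) -> str:
        """Return which entry permitted the packet, or 'implicit deny'."""
        for e in acl:
            if e.evaluate is not None:
                for temp in self.reflexive.get(e.evaluate, []):
                    if temp.matches(p):
                        if p.fin:
                            self.reflexive[e.evaluate].remove(temp)
                        return f"reflexive entry {describe(temp)}"
                continue
            if e.matches(p):
                if e.reflect is not None:
                    # Mirror the packet: its destination becomes the source of the
                    # temporary entry and vice versa, so the entry matches only the
                    # replies belonging to this exact session.
                    mirror = Entry(p.proto, p.dst, p.dport, p.src, p.sport)
                    lst = self.reflexive.setdefault(e.reflect, [])
                    if mirror not in lst:
                        lst.append(mirror)
                return f"static entry {describe(e)}"
        return "implicit deny"


# The configuration from the post.
INBOUND = [Entry("tcp", reflect="REFLEXIVE")]
OUTBOUND = [Entry("tcp", dst="172.16.10.25", dport=23),
            Entry("", evaluate="REFLEXIVE")]


def telnet_session() -> list[str]:
    """One Telnet session from the ISP side, checked hop by hop on e0."""
    r = Router()
    syn = Packet("tcp", "203.0.113.5", 40000, "172.16.10.25", 23)        # constructed
    synack = Packet("tcp", "172.16.10.25", 23, "203.0.113.5", 40000)
    fin = Packet("tcp", "172.16.10.25", 23, "203.0.113.5", 40000, fin=True)
    return [
        r.check(INBOUND, syn),      # e0 in: hits 'permit tcp any any reflect'
        r.check(OUTBOUND, synack),  # e0 out: static line does not match, evaluate does
        r.check(OUTBOUND, fin),     # teardown removes the temporary entry
        r.check(OUTBOUND, synack),  # same reply shape, now nothing permits it
    ]


if __name__ == "__main__":
    for step in telnet_session():
        print(step)
```

The temporary entry printed in the second step has the server as source and the outside host as destination, which is the orientation the return traffic actually has on e0 out; a reply-shaped packet checked on a fresh router, before any inbound session has been reflected, falls through to the implicit deny.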